An update for libvirt is now available for Red Hat Enterprise Linux 6.5Advanced Update Support.

Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

The libvirt library contains a C API for managing and interacting with thevirtualization capabilities of Linux and other operating systems. Inaddition, libvirt provides tools for remote management of virtualizedsystems.

Security Fix(es):

* An industry-wide issue was found in the way many modern microprocessordesigns have implemented speculative execution of instructions (a commonlyused performance optimization). There are three primary variants of theissue which differ in the way the speculative execution can be exploited.Variant CVE-2017-5715 triggers the speculative execution by utilizingbranch target injection. It relies on the presence of a precisely-definedinstruction sequence in the privileged code as well as the fact that memoryaccesses may cause allocation into the microprocessor's data cache even forspeculatively executed instructions that never actually commit (retire). Asa result, an unprivileged attacker could use this flaw to cross the syscalland guest/host boundaries and read privileged memory by conducting targetedcache side-channel attacks. (CVE-2017-5715)

Note: This is the libvirt side of the CVE-2017-5715 mitigation.

Red Hat would like to thank Google Project Zero for reporting this issue.

4. Solution:

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to: